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This paper attempts to accurately model security requirements for computational grid environments 
with particular focus on authentication. We introduce the Audited Credential Delegation (ACD) 
architecture as a solution to some of the virtual organisations (VO) identity management usability 
problems. The approach uses two complementary models: one is state based, described in Z no- 
tation, and the other is event-based, expressed in the Process Algebra of Hoares Communicating 
Sequential Processes (CSP). The former will be used to capture the state of the VO and to model 
"back-end" operations on it whereas the latter will be used to model behavior, and in particular, 
"front-end" interactions and communications. The modelling helps to clearly and precisely under- 
stand functional and security requirements and provide a basis for verifying that the system meets its 
intended requirements. 

1 Introduction 

The mission of a Virtual Organisation (VO) is to offer a simplified end user access to and use of high 
performance computing resources shared across a number of different institutions with different admin- 
istrative security domains. A typical example of a VO is the computational grid, which aims to provide 
control over distributed resources consisting of enormous computational power (parallel processing ma- 
chines), data storage (hard disks, memory) and visualisation on high speed networks. Examples of 
currently operating grids include: the UK National Grid Service (NGS) ifTOl and US TeraGrid [14]. 
The sharing of these resources is intended to support academic research and industrial development. A 
computational grid environment may consist of a mixture of several kinds of organisations including 
academic, governmental, industrial and commercial institutions (will be referred to as "Sites" in this 
paper). 

One major problem faced by end-users and administrators of VOs is to do with the usability of the 
security mechanisms usually deployed in these environments EHH, in particular identity management 
solutions. Many of the existing computational grid environments use Public Key Infrastructure (PKI) 
and X.509 digital certificates [6] as a corner stone for their security architectures. However, security 
solutions based on PKI have to be usable to be effective. Some of the common grid identity management 
encountered include: adding and removing users, acquiring and using digital certificates. End-users, 
such as scientists who are not security experts, are concerned with the results of the computations they 
perform on the grid. Many of the existing grid middleware, such as Globus and Unicore lH, require that 
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the end-user creates a short hved certificate, known as proxy certificate, prior to running application on 
the grid. In addition, many users engage in practices which weakens the security of the grid environment, 
such as the sharing of the private key of a single personal certificate because acquiring certificates can be 
a lengthy process 1 1 1. 

We introduce the Audited Credential Delegation (ACD) architecture as a solution to some of the 
above problems and we present a formal model of this architecture. The proposed solution carefully 
hides the use of digital certificates from end-users and enables them to acquire credentials from their local 
site administrators. It also enables the latter to to create/remove user accounts in a more efficient way. 
A combination of state-based model, described in Z notation jlSl . and event-based model, expressed 
in the Process Algebra of Hoares Communicating Sequential Processes (CSP) f5l is used to model the 
architecture. Z is widely used in industry for modelling complex and large systems. It will be used 
to capture the state of the VO components and to model "back-end" operations on it whereas the latter 
wiU be used to model behavior, and in particular, "front-end" interactions and communications. Both 
notations have clear and precise semantics. The Z descriptions in this work have been type checked with 
ZTC tool. The modelling helps to clearly and precisely understand functional and security requirements 
and provide a basis for verifying that the system meets its intended requirements. There are several 
formal frameworks that combine state-based and event-based approaches and can also be used to have 
a clear and concise model of this architecture, such as Circus in fF] and CSP||B in (TT]. Circus also 
combines Z and CSP. In this work we are interested in modelling the VO architecture and the nature of Z 
as a pure specification language |[T5l . with a purer mathematical notation is therefore more appropriate 
than VDM and B because they are more akin to conventional programming languages, and hence why 
refinement into code is easier with these languages. 

The remainder of this paper is organized as follows. Section 2 gives a brief overview of the proposed 
VO architecture. Section 3 and 4 present formal state-based models of the authentication components 
followed by a CSP description of their pattern of interactions. Section 5 presents our conclusion. 



2 Overview of Proposed Architecture 

The physical infrastructure of this VO involves a separate administration site and a dedicate gateway 
service, which is armed at hiding digital certificates from end-user environment. 
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Figure 1 : Audited Credential Delegation Architecture 
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The gateway is responsible for identity management and consists of the following components: (1) Cre- 
dential repository that stores certificates and their corresponding private keys in order to communicate 
with the computational grid. It also maintains a list of active proxy certificates, their corresponding 
privates key and an association between users and proxies. The main role of this component is to en- 
able local site users to authenticate to external sites in the grid. (2) Local Authentication Service (LAS) 
component that enables authenticating local site users within their organization using a locally provided 
usable authentication mechanism rather than digital certificates. The LAS can support several types of 
authentication mechanisms that scientists are used to such as Kerberos Q, Shibboleth |[T3l or a local 
password database maintained at the gateway. End-users interact only with this component of the gate- 
way. (3) An authorization component that controls requests issued from local site users to Grid resources. 
In this paper the focus is on the local and external authentication components. The gateway will be inte- 
grated with the Application Hosting Environment (AHE) ifTTI . which allows scientists to run application 
codes on grid resources; manage the transfer of files to and from the grid resources; and allow the user 
to monitor the status of application instances that are run on the grid resources. This way it becomes 
possible to identify legitimate users and to ensure that only those legitimate users are allowed access 
to grid resources according to the policy defined on the grid projet. In this model, a scientist can login 
locally using a usemame/password pair for the whole session and run applications on the grid via the 
AHE server in a controlled manner. We are hoping to be able to deploy this solution within AHE for use 
on TeraGrid, NGS and DEISA within the next 12 months. 



3 VO Internal Authentication 



The aim of this component is to enable end-user to authenticate locally using a username-password 
mechanism. To be authenticated, a user must show knowledge of a valid username/password pair that 
matches an entry in an authentication table, which can be a database or a password file. In this work, 
a simple database password is considered for simplicity. In future work. Shibboleth and Kerberos can 
also be used in the architecture. One of the techniques used for implementing this approach is to store 
the hash of a salted password rather than the password itself in clear text. This way it is possible to 
know that the user knows the correct password without ever having to store the original password on the 
authentication server. 



AddCcit RcmovcCcit AddProxy CreatcProxy KillProiy 

^^^^^ 
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Figure 2: Local Database and Credential Repository that store digital Certificates, proxies and users' 
credentials 
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3.1 State-Based Model of the Local Authentication Component 

Let UserlD and Data be abstract types for denoting the set of all usemames, passwords and encrypted 
passwords. 

[UserID,Data\ 

State: The state of the local database authentication server comprises: a set of registered users; a partial 
function pwdDB that associates each userlD with one encrypted password; partial function that associates 
each user with a salt; and a partial function encrypt that is used to encrypt/hash clear text passwords. The 
invariant ensures that every registered user must have a password and that every user has an associated 
salt. The model can be described in Z as follows: 

DB_LAS 

registered-Users : ¥ UserlD pwdDB : UserlD -e- Data 
salting : UserlD -e- Data encrypt : Data -i^ Data 

registered— users = dompwdDB A dompwdDB = dom salting 



Authentication Component Operations: The set of operations considered on this component are shown 
in Figure |2l We only present the following operations on the DB_LAS: Login, ChangePassword and 
AddCredentialhecause of space limitation. For more details about this model the reader is referred to |[3l. 
The operation Login takes a username and a password as inputs and checks whether the pair matches an 
entry in the database. The operation is described in the following Z schema: 

LoginO 

SDB_LA5 

usemamel : UserlD pwdl : Data 
encrypt{salting{usernamel) +pwdl) = pwdDB (usemamel) 



The operation ChangePassword replaces the old password for the specified username with a new pass- 
word after checking that the username and the old password suppUed by a user matches an entry in the 
database: 

ChangePasswordO 

ADB_LA5 

usemamel : UserlD pwdl : Data newpwdl : Data newsaltlData 

encrypt[salting[usernamel) + pwdl) = pwdDB (usemamel) A 
pwdDB' = pwdDB © {usemamel ^ encrypt (newsaltl + newpwdl)} 
salting' = salting © {usemamel i— )• newsaltl} 



The AddCredential operation allows adding a new user to the database. 

AddCredentialO 

ADB_LA5 

usemamel : UserlD pwdl : Data salt? : Data 

pwdDB' = pwdDB © {usemamel i-^ encrypt {saltl + pwdl)} 
salting' = salting © {usemamel i— )• salt!} 
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Let Report be a data type, the values of which are messages indicating whether an operation has been 
successful or has failed. 

Report :: = Success \ Failure 

Precondition of each Operation: The precondition of the operations Login and ChangePassword is 
that the usemame and password pair match an entry in the database. The precondition of the opera- 
tion AddCredential is that the chosen usemame must not be already in use. The precondition for each 
operation can be defined in Z as follows: 

pre Login = {usemamel,encrypt{salting{usemamel)+pwdl)) EpwdDB 

pre ChangePasswordO = {usernamel,encrypt{salting{usemamel) +oldpwd'})) G pwdDB 

pre AddCredentialO = usemame! ^ dompwdDB 

Totalizing: The totaUsing technique is used to handle errors resulting from not meeting the above pre- 
conditions. An error may arise because the usemame doesn't exist, 

UserlDNotlnUse 

EDBJ^AS 

usemame! : UserlD athrepl : Report 
usemame! ^ dompwdDB A athrepl = Failure 



or the combination of usemame and password is wrong: 

InvalidCredential 

ZDB_LAS 

usemame! : UserlD pwd! : Data 
authenticationdecisionl : Report 

-1 {encrypt (pwd!) = pwdDB (usemame!)) A authenticationdecisionl = Failure 



A successful operation will result in the same report: 



Op Success 
authenticationdecision I 


: Report 


authenticationdecision I 


= Success 



The Authentication component's operations will then be modeled as follows: 
Login = (LoginO A OpSuccess) V InvalidCredential 

ChangePassword = {ChangePasswordO A OpSuccess) V UserlDNotlnUse V InvalidCredential 
AddCredential = {AddCredentialO A OpSuccess) V UserlDInUse 

Initialization: The initial state of the authentication server component is described as follows: 
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DB_LASInit 

AuthenticationCredential' 

registered— users' = {ali, mark John] 

pwdDB' = {{all, 6fScac5b9946S7f 7 a056l9c3324pc5e), 

{mark, Sdl37ac4eec0dfS9f0S9540ac\9ac99c), (John, a4375b7cc75ll652d0029cbM'^^69)} 



In this initialization, the hashes of the passwords are generated using MD5 hash [91 • The usemame/password 
pairs memorized by the users are: {ali,pwdx), {mark, mrk3000), {John, wndl9i0) 

3.2 Modelling the User 

The model of a user focuses primarily on the security knowledge that the user must possess and maintain 
for the purpose of authentication. The abstract state of a user, User, comprises three components: (1) 
U-names, set of usernames held by the user (also known as principal); and (2) u_password, a function 
that associates each principal with a plain password. The state of a user can be formulated in Z as follows: 

User 

U-names : FUserlD u^assword : User ID Data 

domu— password = u_names 



The invariant states that each usemame has exactly one password. 

3.3 Event-Based Model of the Local Authentication Component 

We derive the CSP interface of the authentication server from the Z specification. This description has 
been structured as follows: 

• State = DB_LAS. 

• Operations = {Login , ChangePassword, ResetPassword, AddCredential,RemoveCredential,Logout}. 

• Preconditions of each operation. For instance, for the login operation: 
Login: {usernamel ,encrypt{salting{usemamel) + pwdl)) ^pwdDB 

• Initial WS state = DB_LASInit, totalizing the operations and adding reports to handle incorrect 
inputs. 

The interface of the authentication server is: 

aDB = {Login, LoginRequest ,LoginResponse , ChangePassword, ChangePasswordRequest , 
ChangePasswordResponse, ResetPassword, ResetPasswordRequest,ResetPasswordResponse, 
AddCredential,AddCredentialRequest,AddCredentialResponse,RemoveCredential, 
RemoveCredentialRequest ,RemoveCredentialResponse , Logout, LogoutRequest, LogoutResponse} 

The behaviour of the authentication server is modelled by the CSP process DB shown below. The de- 
scription doesn't consider the pattern of interactions corresponding to the operations ResetPassword, 
RemoveCredential and AddCredential, because this depends on the role of the authenticated user. For 
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example, only an authenticated user holding an administrator role can add/remove other users and reset 
passwords. 



DB{State) = LOGIN{state) 

LOGIN{state) = Login LoginRequestl{usernamel ,pwdl) 
{LoginResponse\{authenticationdecision\ \ ^ Success) 

AUTH{u) <\ pre Login{usemamel,pwdl) \> 
LoginResponse\{authenticationdecision\ Failure) DB {(state))) 
AUTH{u) = CHGPWD{state) □ LOGOUT {state) 
CHGPWD {state) = ChangePassword 
ChangePasswordRequestl{usernamel jOldpwdl ,newpwdl) 
{ChangePasswordResponse\{athrep\ ^Success) — > 

AS{state') <\ pre ChangePassword{username7,oldpwd7,newpwdl) ]> 
ChangePasswordResponse\{athrep\ -^Failure) AUTH{u)) 
LOGOUT {state) = Logout — )■ LogoutRequestl{usemamel) 

{LogoutResponse\{athrep\ ^Failure) AS {state) <| pre Logout {use rnamel) j> 
LogoutResponse\{athrep\ ^Failure) DB {state)) 



Login 







DoLogin 


1 


1 


DoLoginRequest 




}oLoginResponse 




LoginResponse 



Figure 3: Client and Database Server models 

So for example, a user with a valid username and password, say ali and pwdx respectively, can be 
authenticated by the server by issuing the following sequence of interactions: 



CLIENT! = DoLogin — )• DoLoginRequest\{usemamel ^ ali,pwdl 6f....fbc5e) 
—7- DoLoginResponselauthenticationdecision ! SKIP 
where encrypt{pwdx) = 6/8cac5&994687/7£?05619c3324/fcc5e. 

The CSP operator [+0;?+] models the interaction between two processes in which the handshake is 
on the operation Op. Both processes synchronize on the channel Op. The input values flows from 
the requestor to the provider and the output values flows in the opposite direction. For instance, the 
result of CLIENT \ sequence of interactions with the authentication server is calculated using a parallel 
composition of CLIENT! and AS processes as follows: 



DB{state)[+Login+\CLIENT\ = Login 

LoginRequest\{usernamel ^ ali,pwdl 6f%cac5b99A6%lflaQ56\9c'i?>2Aft)c5e) 
LoginResponse\{authenticationdecision\ ^ Success) — )• DB {state') 
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LoginResponse 



LoginRequest 



Login 




Figure 4: Client and Database handshake on Login Operation 



4 VO External Authentication 

The credential repository is used to store digital certificates or proxy certificates for named grid projects 
and resources and their corresponding private keys to enable communication with the grid. These certifi- 
cates will be shared by a group of users and will be used to create proxy certificates. 

4.1 State-Based Model of the External Authentication Component 

The model assumes the existence of the following types: 

[UserlD, Subject, Data, Key, serialNb, CipherAlgName , CertAuthorityName] 

The state of the certificate repository comprises: a set of certificates; a set of project and resources names; 
a partial function key_association that associates each Certificate with it's corresponding private key; a 
partial function cert_association that is used to associate each project with a digital certificate; a list of 
issued proxies certificates created using the digital certificates, the proxies secret keys, association be- 
tween each proxy and the user who generated it. 

CredentialRepository 

certificates : P Certificate proxyCertificates : P Certificate 
projectsNames : ¥Name resourcesNames : FName 
key— association : SerialNb Key cert_association : Name SerialNb 
issuedproxies : SerialNb -i^ SerialNb proxylssuer : SerialNb -i^ SerialNb 
proxySecretKey : SerialNb -H- Key userProxy : SerialNb ^ UserlD 

Vc : Certificate • c € certificates A c.serial £ dom key-association A 
rancert_association C dom key— association A 
domcert association C projectsNames A 
domcert_association C resourcessNames A 

Vc : Certificate • c € proxyCertificates A c.serial € domproxySecretKey A 
doraproxySecretKey = domproxylssuer = domuserProxy 



Where proxyCertificates is the set of all active proxies; issuedproxies, a function that relates a serial num- 
ber to a proxy certificate; proxylssuer, a function that relates the proxy certificate with its issuer (signer) 
identified by a public certificate; userProxy, a function that associates a user in a site with the proxy 
certificate in a unique way; proxySecretKey, a function that associates each proxy with its corresponding 
private key. More details on modelling PKI component in Z and CSP are presented in IH.The same 
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approach as in the previous section can be applied to model operations. For instance, the administrative 
operation on the CredentialRepository , AddCertificate, takes a certificate, its corresponding private key, 
and the project with wliich it can be used as inputs. The precondition for tliis operation to succeed states 
that the certl should not already be in the list of certificates. The operation is captured in Z as follows: 

AddCertificateO 

ACredentialRepository 

certl : Certificate secretkeyl : Key project? : Name 
responsel : Report 

certl .publicKey validPKIKeyPair secretKeyl A 

certl ^ certificates A certificates' = certificates U {certl} A 

key association' = key— association U {{certl. serial, secretkeyl)} A 

cert-association' = cert-association © {projectl i-^ certl .serial} 



The operation RemoveCertificate takes a certificate as an argument and removes it with its correspond- 
ing secret key from the credential repository. The precondition states that the certl must exists in the 
certificates set. 

RemoveCertificateO 

ACredentialRepository 
certl : Certificate 

certl G certificates A certificates' = certificates \ {certl} A 
key-association' = {certl .serial} key-association A 
cert-association' = cert-association ^ {certl .serial} 



5 Conclusion 

In this paper, we have presented a formal model of a VO architecture that combines PKI and usemame- 
password mechanisms in order to provide a usable security solution for VO end-users. The model uses 
a combination of state-based and event-based approach. The consistency of Z model is checked with 
the ZTC tool. The formalism has clarified the purpose of the VO, the explicit assumptions about sites, 
users, CAs and third parties. The observation of the states enables to easily know the current capabilities 
of the user, site and the VO. For instance, it becomes clear from the model of the user that he/she will 
have to maintain only one identity to authenticate to the gateway. Also, it makes it possible to find a user 
responsible for performing a task on the grid. This allows local sites and the entity running the gateway 
to monitor who access resources for auditing and bilhng purposes. Most importantly, we have linked the 
CSP model with the Z specification in a systematic way. We derive the CSP interface of the VO from the 
Z state, operations, precondition on each operation and initial state. 
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